At its center, NIST CSF comprises five core functions. This article will detail the second of these functions, Protect, and explore the Framework’s five core functions, what the Protect function is and the outcome categories and subcategory activities of this function.
What is the NIST CSF framework core?
The framework core is a set of recommended activities designed to achieve certain cybersecurity outcomes and serves as guidance, not intended to serve as a checklist. The core is composed of five functions that work together to achieve the outcomes mentioned above. These elements are:
Identify Protect Detect Respond Recover
What is the Protect function?
NIST defines the purpose of the Protect function as “(to) develop and implement appropriate safeguards to ensure delivery of critical services.” Just as many experts have made the analogy that the previous function, Identify, was the foundation of the CSF core framework functions, the Protect function can be thought of as framing the rest of the functions yet to come.
Outcome categories and subcategory activities
Each Framework function is composed of outcome categories that describe the kinds of processes and tasks organizations should carry out for that Framework level. The Protect function contains six outcome categories, each of which in turn contains subcategory activities.
Identity Management, Authentication and Access Control
This category is defined as “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.”
Subcategory activities
Credentials and identities are issued, verified, managed, audited and revoked for authorized devices, processes and users Access (physical) to assets is protected and managed Remote access is managed Access authorizations and permissions are managed while incorporating principles of separation of duties and least privilege Organization network integrity is protected Identities are asserted, proofed and bound to credentials in interactions Devices, users and other organization assets are authenticated commensurate with the relative risk of the transaction
Awareness and Training
NIST defines this category as “the organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.”
Subcategory activities
All users within the organization are informed and trained Privileged users understand their respective responsibilities and roles Third-party stakeholders understand their respective responsibilities and roles Senior executives understand their respective responsibilities and roles Cybersecurity and physical personnel understand their respective responsibilities and roles
Data Security
NIST defines this category as “information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”
Subcategory activities
Data-at-rest is protected Data-in-transit is protected Assets are formally managed during transfers, removal and disposition Sufficient capacity ensuring availability is maintained Data leak protections are implemented Mechanisms for checking integrity are used to verify information, software and firmware integrity Environments are separate for development/testing and production environments Integrity checking mechanisms very hardware integrity
Information Protection Processes and Procedures
NIST defines this category as “security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”
Subcategory activities
An IT/ICS configuration baseline is created and maintained which incorporates applicable security principles (such as concept of least functionality) System development life cycle is implemented to manage systems Change control configuration processes are in place Information backups are conducted, tested and maintained Regulations and policy concerning the organizational asset physical operating environment are met Data destruction is performed according to policy Protection processes are improved Protection technology effectiveness is shared Recovery and response plans are implemented and managed Recovery and response plans are tested Human resource practices include cybersecurity (for example: personnel screening, deprovisioning) A plan for vulnerability management is developed and implemented
Maintenance
NIST defines this category as “maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.”
Subcategory activities
Repair and maintenance of assets are both performed and logged, with controlled and approved tools Remote asset maintenance is approved, performed and logged in a way that prevents unauthorized access
Protective Technology
NIST defines this category as “technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”
Subcategory activities
Log/audit records are ascertained, implemented, documented and reviewed according to policy Removable media is protected with restricted usage in accordance with policy The least functionality principle is incorporated into information systems by configuring these systems to use only essential capabilities Control networks and communications are protected Resilience mechanisms, for both normal and adverse situations, are implemented to achieve respective resilience requirements for each type of situation
Conclusion
The Protect core framework function is the second function listed in the NIST CSF. This function serves as a frame for the remaining functions, similar to how the Identify function served as the foundation. By applying these outcome categories (and related subcategories) to your organization’s risk management posture, your organization will be well-positioned to execute the remaining functions of the NIST CSF.
Sources
Framework for Improving Critical Infrastructure Cybersecurity, NIST NIST Cybersecurity Framework Series Part 2: Protect, Trend Micro The NIST Cybersecurity Framework – The Protect Function, Compass IT Compliance